InfoSec Daily Podcast Episode 397 for May 31, 2011. Tonight's podcast is hosted by Rick Hayes, Beau Woods, and Varun Sharma.
My Hard Drive Died
5-Day Data Recovery Expert Certification
Where: Atlanta, Georgia
When: June 6-10, 2011
5-Day Bootcamp Data Recovery
Where: Chicago, Illinois
When: July 18-22, 2011
Where: 116 Federal St., Sunny Pittsburgh, PA.
When: June 10, 2011
Where: Meriden, Connecticut
When: June 11, 2011
Where: Meriden, Connecticut
When: June 11-12, 2011
http://excon.eventbrite.com (email email@example.com for more info)
Begins after BSidesCT. Registration cost is $50.00.
2nd Annual AIDE conference
When: July 11th – 15th, 2011
Where: Marshall University Forensic Science Center, Huntington, WV
OISF July Anniversary Event
When: July 16th, 2011
Where: Dayton, Ohio
Adrian will be there
When: Sept 19-22, 2011
Where: Brussels, Belgium
When: September 30th – October 2, 2011
Where: Louisville, KY
2011 Fall Information Security Conference
When: November 8 – 9, 2011
Where: Atlanta, GA (Loudermilk Conference Center)
CFP open now through June 3, 2011! Email submissions to Conference@gaissa.org
The ISD Podcast has entered into a contest to see who can raise the most money for the Electronic Frontier Foundation. For those who don't know, the EFF is a non-profit group of lawyers, policy analysts, activists, and technologists who fight for digital rights. They have helped countless hackers and security researchers get out of hot water, and have exposed injustices caused by ignorant legislation and bad judgements. Please click the following link to donate to a vitally important cause:
PBS officials say hackers have cracked the network’s website, posting a phony story claiming dead rapper Tupac Shakur was alive in New Zealand, and a group that claimed responsibility for the hacking complained about a recent “Frontline’’ investigative news program on WikiLeaks.
PBS confirmed early yesterday morning on its official Twitter account that the website had been hacked. The phony story had been taken down that morning. It had been posted on the site of the “PBS NewsHour’’ program, which is produced by WETA-TV in Arlington, Va.
Anne Bentley, PBS’s vice president of corporate communications, said in an e-mail that erroneous information posted on the website has been corrected. The hackers also posted login information for two internal PBS sites: one that media use to access the PBS press room and an internal communications website for stations, she said. She added all affected parties were being notified.
David Fanning, executive producer of “Frontline,’’ said he learned of the hacking early yesterday, nearly a week after the program aired its “WikiSecrets’’ documentary about the leak of US diplomatic cables to the WikiLeaks website.
The documentary, produced by WGBH-TV in Boston, generated criticism and debate on the program’s website in recent days from those sympathetic to WikiLeaks founder Julian Assange and from those who thought the program was fair, Fanning said.
“Frontline’’ producers hear impassioned responses all the time, Fanning said. Having a group attack the PBS website over a news program was unusual but “probably not unexpected,’’ he said.
“From our point of view, we just see it as a disappointing and irresponsible act, especially since we have been very open to publishing criticism of the film . . . and the film included other points of view,’’ Fanning said. “This kind of action is irresponsible and chilling.’’
PBS officials did not immediately respond to phone and e-mail messages.
A group calling itself LulzSec and “The Lulz Boat’’ on Twitter claimed responsibility and posted links to other hacks.
HTC has some good news for anyone who's wanted to root their Android phones: the company announced late Thursday that it will no longer be locking the bootloaders on its phones. In a post on HTC's Facebook page, CEO Peter Chou said that after listening to customer feedback, the company would ship HTC devices with unlockable bootloaders.
"There has been overwhelming customer feedback that people want access to open bootloaders on HTC phones. I want you to know that we've listened. Today, I'm confirming we will no longer be locking the bootloaders on our devices. Thanks for your passion, support and patience," Peter Chou, CEO of HTC.
As its name suggests, the bootloader loads the phone's operating system. A locked bootloader will only boot an image signed by HTC, so you can't install your own or a custom operating system on the phone. Locking by itself does not prevent you from rooting the phone (gaining root on the operating system that is already running), but it keeps the manufacturer in control of what code the handset will boot.
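To make the locked-versus-unlocked distinction concrete, here is an added example (not code from HTC or from the original post) that models the gate a locked bootloader applies: the image is hashed, the signature is checked against a vendor public key baked into the device, and only a verified image boots. The RSA key, image bytes and signing routine are constructed stand-ins; a real bootloader uses a key of 2048 bits or more with proper signature padding, and the exact image format is vendor specific.

```python
import hashlib

# Toy RSA key (two well-known ~20-bit primes) so the arithmetic runs in plain
# Python; a real device holds a 2048-bit-or-larger vendor key and uses proper
# signature padding. Constructed for illustration, not HTC's key or format.
TOY_P, TOY_Q = 1000003, 999983
TOY_N = TOY_P * TOY_Q
TOY_E = 65537
TOY_D = pow(TOY_E, -1, (TOY_P - 1) * (TOY_Q - 1))  # private; never on the handset


def image_digest(image: bytes) -> int:
    # SHA-256 of the boot image, reduced mod n only because the toy modulus is
    # far smaller than a 256-bit digest.
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % TOY_N


def vendor_sign(image: bytes) -> int:
    """What the manufacturer's signing service does before shipping a boot image."""
    return pow(image_digest(image), TOY_D, TOY_N)


def signature_valid(image: bytes, signature: int) -> bool:
    # Verification needs only the public key (n, e), which is what the
    # bootloader carries; there is no private material on the device.
    return pow(signature, TOY_E, TOY_N) == image_digest(image)


def bootloader_accepts(image: bytes, signature: int, locked: bool) -> bool:
    """Locked: only a vendor-signed image boots, whatever the user flashed.
    Unlocked: anything boots; the owner has taken over the trust decision."""
    if not locked:
        return True
    return signature_valid(image, signature)


# Constructed stand-ins for a stock image and a community ROM.
STOCK_IMAGE = b"stock kernel + ramdisk"
CUSTOM_IMAGE = b"community ROM kernel + ramdisk"
STOCK_SIG = vendor_sign(STOCK_IMAGE)

if __name__ == "__main__":
    print("locked, stock   :", bootloader_accepts(STOCK_IMAGE, STOCK_SIG, locked=True))
    print("locked, custom  :", bootloader_accepts(CUSTOM_IMAGE, STOCK_SIG, locked=True))
    print("unlocked, custom:", bootloader_accepts(CUSTOM_IMAGE, 0, locked=False))
```

The check gates only what the device boots. It says nothing about privilege escalation inside the operating system once it is running, which is why a locked bootloader does not by itself stop rooting; it stops a custom kernel or ROM from being booted with the vendor's blessing.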
It's encouraging to hear that HTC takes its customers' requests for open bootloaders seriously, and that perhaps handset makers will be willing to cede more control of their devices to users in the future. This announcement likely only applies to future HTC devices, though we'll be excited to hear whether HTC will retroactively provide unlocked bootloaders on current HTC phones.
Late last month, Motorola announced that it would introduce an unlockable bootloader for its phones later this year.
The problems keep coming for Sony. On Tuesday the company confirmed that someone had hacked into its website and stolen about 2,000 customer names and e-mail addresses.
Close to 1,000 of the records have already been posted online by a hacker calling himself Idahc, who says he's a "Lebanese grey-hat hacker." Idahc found an SQL injection flaw, a common web programming error in which user-supplied input is spliced directly into a database query, that allowed him to dig up the records on the Canadian version of the Official Sony Ericsson eShop, an online store for mobile phones and accessories.
The hacker got access to records for about 2,000 customers, including their names and e-mail addresses and a hashed version of users' passwords, said Ivette Lopez Sisniega, a Sony Ericsson Mobile Communications spokeswoman. "Sony Ericsson has disabled this e-commerce website," she said in an e-mail message. "We can confirm that this is a standalone website and it is not connected to Sony Ericsson servers."
Other than the names and e-mail addresses, no personal or banking information was compromised, she said.
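The flaw behind the Sony Ericsson eShop breach is the kind shown below. This is an added example, not the eShop's code or the attacker's payloads: a constructed customer table in an in-memory SQLite database, a lookup written the vulnerable way (the request parameter pasted into the SQL text) beside the parameterised version, and two constructed inputs of the sort that turn a "find my record" query into a dump of every name, e-mail address and password hash. The sample customers, the unsalted SHA-256 hashing and the function names are all assumptions for the demonstration.

```python
import hashlib
import sqlite3

# Constructed sample customers (not data from the real eShop).
SAMPLE_CUSTOMERS = [
    ("Alice Example", "alice@example.com", "hunter2"),
    ("Bob Example", "bob@example.com", "correct horse"),
    ("Carol Example", "carol@example.com", "letmein"),
]


def password_hash(password: str) -> str:
    # Unsalted SHA-256 stands in for whatever the shop stored; fast unsalted
    # hashes like this are cheap to crack once leaked.
    return hashlib.sha256(password.encode()).hexdigest()


def build_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, email TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(n, e, password_hash(p)) for n, e, p in SAMPLE_CUSTOMERS],
    )
    conn.commit()
    return conn


def find_customer_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    # The bug: the request parameter becomes part of the SQL text, so quote
    # characters in it change the structure of the query.
    sql = "SELECT name, email FROM customers WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def find_customer_safe(conn: sqlite3.Connection, email: str) -> list:
    # The fix: a parameterised query. The value travels separately from the
    # statement, so it can only ever be compared, never parsed as SQL.
    sql = "SELECT name, email FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Two constructed payloads of the kind used against such a flaw.
DUMP_ALL = "' OR '1'='1"                                                  # returns every row
DUMP_HASHES = "x' UNION SELECT email, password_hash FROM customers -- "   # pulls a second column


def demo() -> dict:
    conn = build_store()
    return {
        "normal": find_customer_vulnerable(conn, "alice@example.com"),
        "dump_all": find_customer_vulnerable(conn, DUMP_ALL),
        "dump_hashes": find_customer_vulnerable(conn, DUMP_HASHES),
        "safe_dump_all": find_customer_safe(conn, DUMP_ALL),
        "safe_dump_hashes": find_customer_safe(conn, DUMP_HASHES),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

Against the vulnerable lookup the first payload makes the WHERE clause always true and the second splices a UNION onto the query to read the password_hash column; against the parameterised lookup both are just e-mail addresses nobody has, and the query returns nothing. The second payload also shows why "only a hashed version of the password" is small comfort when the hash is fast and unsalted.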
Microsoft has Patch Tuesday. Oracle and Adobe are on regular patch cycles, often issuing ten or more patches at once. But many smaller vendors haven't yet developed such rigorous patching processes — and that may make them prime targets for new exploits, experts say.
After years of attacking popular Microsoft file formats such as Word and Excel, attackers moved on to Adobe's PDF and Flash formats. Today, more attacks are focusing on Oracle's Java. As they became subject to more frequent attacks, software vendors strengthened their platforms to make them more difficult to assault.
But for the most part, smaller software vendors have not had to weather the scrutiny of cybercriminals and security researchers. And because of this lack of scrutiny, attackers are beginning to develop more targeted and sophisticated attacks that take advantage of flaws in less popular software that has not had as much rigorous security testing.
"At some point, [attackers] are going to exhaust all the different file formats that they can exploit," says Mike Dausin, manager of advanced security intelligence for HP TippingPoint's DVLabs. "It was only .exes at first, and then it was screen savers, and on and on down the list. … As the holes get plugged, [attackers] will likely move on to the more exotic formats."
Large numbers of companies using Cisco network equipment are still exposed to a single security vulnerability nearly two years after a patch was issued, an analysis of network scans by Dimension Data for its 2011 Network Barometer Report has found.
Overall, Dimension's Technology Lifecycle Management (TLM) assessment service discovered that an average of 73 percent of the 270 assessments it carried out on Cisco-dominated global companies had at least one known device security vulnerability that had yet to be patched. This held true for companies of all sizes and across all geographies.
Surprisingly, a single prominent vulnerability, Cisco PSIRT (Cisco Product Security Incident Response Team) 109444, was found on 66 percent of the networks looked at, accounting for much of the security exposure it found.
PSIRT 109444 has been rated by the industry Common Vulnerability Scoring System (CVSS) as being between 6.4 and 7.8 out of 10 in terms of severity (which is to say, moderately critical), and is capable of allowing an attacker to take affected devices down with a denial-of-service attack, said Dimension Data.
As a prisoner at the Jixi labour camp, Liu Dali would slog through tough days breaking rocks and digging trenches in the open cast coalmines of north-east China. By night, he would slay demons, battle goblins and cast spells.
Liu says he was one of scores of prisoners forced to play online games to build up credits that prison guards would then trade for real money. The 54-year-old, a former prison guard who was jailed for three years in 2004 for "illegally petitioning" the central government about corruption in his hometown, reckons the operation was even more lucrative than the physical labour that prisoners were also forced to do.
"Prison bosses made more money forcing inmates to play games than they do forcing people to do manual labour," Liu told the Guardian. "There were 300 prisoners forced to play games. We worked 12-hour shifts in the camp. I heard them say they could earn 5,000-6,000rmb [£470-570] a day. We didn't see any of the money. The computers were never turned off."
Memories from his detention at Jixi re-education-through-labour camp in Heilongjiang province from 2004 still haunt Liu. As well as backbreaking mining toil, he carved chopsticks and toothpicks out of planks of wood until his hands were raw and assembled car seat covers that the prison exported to South Korea and Japan. He was also made to memorise communist literature to pay off his debt to society.
But it was the forced online gaming that was the most surreal part of his imprisonment. The hard slog may have been virtual, but the punishment for falling behind was real.
"If I couldn't complete my work quota, they would punish me physically. They would make me stand with my hands raised in the air and after I returned to my dormitory they would beat me with plastic pipes. We kept playing until we could barely see things," he said.
It is known as "gold farming", the practice of building up credits and online value through the monotonous repetition of basic tasks in online games such as World of Warcraft. The trade in virtual assets is very real, and outside the control of the games' makers. Millions of gamers around the world are prepared to pay real money for such online credits, which they can use to progress in the online games.
The trading of virtual currencies in multiplayer games has become so rampant in China that it is increasingly difficult to regulate. In April, the Sichuan provincial government in central China launched a court case against a gamer who stole credits online worth about 3000rmb.
The lack of regulations has meant that even prisoners can be exploited in this virtual world for profit.
According to figures from the China Internet Centre, nearly £1.2bn of make-believe currencies were traded in China in 2008, and the number of gamers who play to earn and trade credits is on the rise.
It is estimated that 80% of all gold farmers are in China and with the largest internet population in the world there are thought to be 100,000 full-time gold farmers in the country.
In 2009 the central government issued a directive defining how fictional currencies could be traded, making it illegal for businesses without licences to trade. But Liu, who was released from prison before 2009 believes that the practice of prisoners being forced to earn online currency in multiplayer games is still widespread.
"Many prisons across the north-east of China also forced inmates to play games. It must still be happening," he said.
"China is the factory of virtual goods," said Jin Ge, a researcher from the University of California San Diego who has been documenting the gold farming phenomenon in China. "You would see some exploitation where employers would make workers play 12 hours a day. They would have no rest through the year. These are not just problems for this industry but they are general social problems. The pay is better than what they would get for working in a factory. It's very different," said Jin.
"The buyers of virtual goods have mixed feelings … it saves them time buying online credits from China," said Jin.
The emergence of gold farming as a business in China, whether in prisons or sweatshops, could raise new questions over the export of goods, real or virtual, from the country.
"Prison labour is still very widespread – it's just that goods travel a much more complex route to come to the US these days. And it is not illegal to export prison goods to Europe," said Nicole Kempton from the Laogai Foundation, a Washington-based group which opposes the forced labour camp system in China.